Sensitive information protection remains tough

The government’s ability to share sensitive but unclassified information data securely has become central to coordinating counterterrorism efforts, in part because many local officials don't have the security clearances needed to make use of classified information.

Layers of protection

President Barack Obama has directed senior officials to review the controlled unclassified information framework that former President George W. Bush laid out in May 2008 for categorizing sensitive but unclassified terrorism-related data as part of the federal information-sharing environment. Obama wants his team to find ways to track agencies' progress in adopting the CUI framework and examine whether the CUI framework's scope should be broadened beyond terrorism-related information to include all SBU data.

The three categories for CUI data identified by Bush are:

Controlled with standard dissemination. Dissemination is allowed to the extent that it advances a lawful or official purpose.

Controlled with specified dissemination. This is information that requires safeguarding to reduce the risks of inadvertent disclosure and contains additional dissemination restrictions.

Controlled enhanced with specified dissemination. This information requires the most stringent safeguards because unauthorized disclosure could produce significant harm.

The information technology challenges to securing SBU networks are complex, especially for those that cross jurisidictional boundaries. Unlike classified networks that sit behind lock and key and are accessible only to users with security clearances, people who sign on to SBU networks come from a variety of different organizations with different missions, needs and security standards.

Last month, Federal Computer Week reported that someone hacked into the Homeland Security Information Network (HSIN), a Homeland Security Department platform for sharing SBU data with state and local authorities. Although a DHS official said the amount of compromised data was relatively minor, the incident underscores the complexities of securing SBU networks.

Even before the intrusion, DHS had been in the process of upgrading HSIN to better meet user needs and improve security. That upgrade is complicated by the myriad requirements that different users have for the system. Meanwhile, in addition to HSIN, state and local authorities also use platforms such as the FBI’s Law Enforcement Online network and the Justice Department-funded Regional Information Sharing System to share SBU data.

In coming months, the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment (PM-ISE) plans to examine the different systems to ensure that the various SBU networks are interoperable and secure. Then the PM-ISE plans to publish a segment architecture for the interoperability of SBU systems that support the federal information sharing environment related to terrorism-related data.

“You’ve got these different systems, and they serve different communities of interest, groups — sometimes those groups overlap, but many times, they have their own purposes, their own needs, their own business processes,” said Clark Smith, PM-ISE’s executive for programs and technology.

Smith said PM-ISE is interested in determining how the systems interoperate securely. User authentication is one of the major security questions PM-ISE needs to resolve, he said.

“We would be looking at things like identity management and the levels of assurance you need on identity for those systems,” Smith added.

In addition to technology concerns, different systems use different languages to describe SBU data. Federal agencies have more than 100 unique identifiers for SBU data and more than 130 methods for handling SBU information.

“In the absence of a single, comprehensive framework that is fully implemented, the persistence of multiple categories of SBU, together with institutional and perceived technological obstacles to moving toward an information-sharing culture, continues to impede collaboration and the otherwise authorized sharing of SBU information among agencies, as well as between the federal government and its partners in state, local, and tribal governments and the private sector,” President Barack Obama said May 27 in a memo directing a review of the framework for categorizing SBU data.

“There’s two parts of this puzzle," said John Cohen, senior adviser to PM-ISE. "One is process and policy and the other is technology,”

Meanwhile, Stephen Serrao, a former high-ranking intelligence official at the New Jersey State Police and now Memex’s product manager for the Americas region, said the situation is also complicated by how multijurisdictional information-sharing centers across the country manage IT.

Memex provides data management, analysis, information-sharing and intelligence management solutions to several state and local intelligence fusion centers, which are the primary users of SBU networks. In his role with Memex, Serrao visited several fusion centers and other information-sharing centers. He found that the agencies involved in collaborative efforts often divide up responsibility for various IT functions, rather than designating one agency to coordinate all of it.

“I don’t think enough attention is being paid to infrastructure and the IT aspects of these fusion centers and these multijurisdictional task forces,” he said. “There’s no one dedicated overall to manage the network, to serve as the security officer, and to provide the type of cohesive strategy or security strategy that might be necessary.”

Serrao said assigning responsibility for various IT aspects to different agencies in a multijurisdictional task force or fusion center is a recipe for disaster.

“Full-time IT resources have to be part of any fusion center or any multijurisdictional task force,” he said.

Reader comments

Mon, Jun 29, 2009
Larry Bruner

Number 1: SBU is not classified info and under DOD standards may not require a clearance to have access.

Number 2: Why do we need an CUI category when SBU alrerady exsist and procedures for controlling it isalready established? To go a step farther, why do we need SBU when all it is, is For Offial Use Information. It seems that these new requirements are intiated without checking with security managers who deal with these issues on a daily basis.

Number 3: In DOD all that is required to have access to a computer system is a Natioal Agency Check. No security clearance is required unless access to Confidential, Secret or Top Secret is required.

THIS ARTICLE SEEMS TO HAVE BEEN WRITTEN BY A INDIVIDUAL WHO DOES NOT KNOW HOW THE SYSTEM REALLY WORKS.

Tue, Jun 16, 2009
das

I think you might have missed the CUI Framework that already exists:
http://www.archives.gov/cui/
We don't need any more "comprehensive reviews"; we need to implement the new CUI (nee SBU) framework that already exists.

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.